A security researcher has disclosed vulnerabilities in the popular transportation app Moovit that could have allowed attackers to take over user accounts, ride for free at the victim's expense, and access personal information, according to recent reports.
Exploitation of Vulnerabilities and Collection of Sensitive Data
Omer Attias, a security researcher at SafeBreach, identified three critical vulnerabilities in the Moovit app. Chained together, they allowed him to harvest registration data from new Moovit users worldwide, including cell phone numbers, email addresses, home addresses, and the last four digits of credit card numbers. More seriously, the same bugs could have allowed an attacker to hijack user accounts and charge rides to the victims' stored payment cards.
Impersonation and Access to Personal Data
Attias explained the extent of the security flaws: “We can fully impersonate accounts, without disconnecting them. It’s crazy, we actually have the ability to perform all the operations on behalf of different accounts, including ordering train tickets. And additionally, we can access all of their personal information.” Because the impersonation did not force the legitimate user out of their session, the attack would have been stealthy: the only indicator visible to a victim would have been unexpected charges on their credit card statement.
Worldwide Impact and Rapid Response
Moovit is an Israeli startup that offers route information and public transportation maps. The vulnerabilities Attias discovered could have had a global impact, since Moovit operates in 3,500 cities across 112 countries. Moovit stated that it found no evidence of the vulnerabilities being exploited by malicious actors. The company confirmed that Attias reported the issues in September 2022 and that they were fixed promptly.
Moovit’s Response and No Evidence of Data Breach
Moovit spokesperson Sharon Kaslassi emphasized that the vulnerabilities had been remediated and that no customer data had been accessed by malicious actors. Kaslassi added that the ticketing service tied to the vulnerabilities was active only in Israel. Attias and his team disputed the narrower framing, maintaining that the vulnerabilities could have affected all customers regardless of location. The case underscores the value of independent security testing and of a prompt, coordinated fix once a flaw is reported.